Weekly Cybersecurity Threat Advisory

Threat Landscape Summary (July 7 – July 14, 2025)

I. EXECUTIVE SUMMARY

This report details the significant cybersecurity threat landscape observed between July 7 and July 14, 2025. The week was characterized by major disclosures of data breaches in the retail and transportation sectors, critical software vulnerabilities, and the continued evolution of ransomware and other malware.

Top Stories:

  • Qantas Airways confirmed a significant data breach impacting 5.7 million customers, attributed to the social engineering group Scattered Spider.
  • Luxury brand Louis Vuitton disclosed a data breach affecting customers in multiple countries, stemming from a compromised third-party service provider.
  • Microsoft’s July Patch Tuesday addressed 137 vulnerabilities, including a publicly disclosed zero-day in SQL Server (CVE-2025-49719) that allows for information disclosure without authentication.
  • A critical remote code execution (RCE) vulnerability in Wing FTP Server (CVE-2025-47812) is being actively exploited in the wild.

Dominant Trends:

  • Supply Chain and Third-Party Risk: Multiple incidents this week, including the Louis Vuitton breach, originated from compromised third-party vendors, highlighting the persistent risk within interconnected digital ecosystems.
  • Sophisticated Social Engineering: The Qantas breach underscores the effectiveness of human-centric attacks, with threat actors successfully targeting call center operations to gain initial access.
  • Ransomware Targeting Public Sector: The “Inc” ransomware group’s attack on the Pierce County Library System continues the trend of targeting organizations with limited resources but high-value data.

Key Vulnerabilities:

  • CVE-2025-49719 (Microsoft SQL Server): A high-severity information disclosure flaw that can be triggered without authentication, which makes internet-exposed SQL Server instances the primary concern.
  • CVE-2025-47812 (Wing FTP Server): A critical RCE vulnerability with a perfect 10.0 CVSS score, allowing complete system takeover.
  • CVE-2025-47981 (Windows SPNEGO): A critical RCE vulnerability with a 9.8 CVSS score, posing a significant risk to Windows environments.

Noteworthy Threat Actors:

  • Scattered Spider (UNC3944): This group remains highly active, demonstrating sophisticated social engineering tactics targeting large enterprises, particularly their help desks and third-party service providers.
  • Inc Ransomware: This group continues its “spray-and-pray” approach, targeting a wide range of industries with a focus on entities that are more likely to pay a ransom to restore services quickly.
  • Pay2Key: This Iranian-backed ransomware-as-a-service (RaaS) has resurfaced, offering increased financial incentives for attacks targeting entities in the United States and Israel, indicating a potential increase in politically motivated cyberattacks.


II. GLOBAL CYBER THREAT LANDSCAPE OVERVIEW

The events of this week are shaped by several dominant macro trends: the use of cyberspace as an arena for geopolitical conflict, the weaponization of trust and process by sophisticated criminals, and the systemic risk posed by supply chain and network edge compromises.

  • Nation-State Cyber Operations as Statecraft: Adversarial nation-states are increasingly leveraging cyber capabilities as an integral component of their strategic objectives. The re-emergence of the Iranian-backed Pay2Key RaaS, with explicit targeting guidance against US and Israeli entities, exemplifies the use of financially-motivated criminal proxies to achieve geopolitical goals. This reality demands nuanced threat models tailored to specific geopolitical risks and actor TTPs.
  • Weaponization of Trust and Process: Sophisticated criminal groups like Scattered Spider are methodically exploiting human trust and institutional pressures within corporate IT support processes. They “weaponize trust” by manipulating help desk staff who are culturally conditioned to provide rapid support, bypassing technical controls through advanced social engineering as seen in the Qantas breach.
  • Exploitation of Internet-Facing Services at the Network Edge: A strategic shift toward compromising the network boundary itself is evident. By exploiting vulnerabilities in internet-facing services such as Wing FTP Server, attackers land on a host that already bridges the internet and the internal network, typically with SYSTEM or root privileges. From there they use the compromised server’s own features and built-in operating system tools (“living off the land”) to enumerate, persist and pivot, which sidesteps endpoint controls tuned to detect unusual binaries.
  • AI-Augmented Social Engineering: Attackers are operationalizing AI to scale deception. It is used to draft convincing, personalized phishing emails and vishing scripts, amplifying the effectiveness of social engineering TTPs and reducing the value of awareness training that relies on spotting poor grammar or generic lures.
  • Cascading Supply Chain & Cloud Security Risks: The security posture of an organization is inextricably linked to its digital ecosystem. The profound risk of supply chain compromise is a major vulnerability, as seen in the Louis Vuitton breach which originated from a third-party supplier. This concern is widely shared, with a majority of large organizations identifying supply chain challenges as a primary barrier to achieving cyber resilience.


III. NOTABLE INCIDENTS AND DATA BREACHES

 Qantas Airways:

  • Date Confirmed: July 9, 2025
  • Impact: 5.7 million customer records, including names, contact information, dates of birth, and Frequent Flyer details. Financial data and passwords were not compromised.
  • Details: The attack originated from a third-party customer servicing platform used by a call center in Manila. Threat actor Scattered Spider is believed to be responsible, using vishing (voice phishing) to gain initial access.

 Louis Vuitton:

  • Date Disclosed: July 14, 2025
  • Impact: Customer data including names and contact information. Financial data and passwords were not compromised. The breach affected at least 143,000 residents in Turkey, with other countries including the UK and South Korea also impacted.
  • Details: The breach was traced back to a compromised account related to a third-party service provider. The initial intrusion occurred nearly a month before it was detected on July 2nd.

Pierce County Library System (Washington, USA):

  • Date Disclosed: July 10, 2025
  • Impact: Over 336,000 individuals were notified of a ransomware attack. Exposed data includes names, dates of birth, and images of driver’s licenses and passports.
  • Details: The “Inc” ransomware group claimed responsibility for the attack, which occurred in April 2025. The group posted stolen data on their leak site.

 Nippon Steel Solutions (Japan):

  • Date Disclosed: July 10, 2025
  • Impact: Potential leakage of personal data belonging to customers, partners, and employees.
  • Details: The breach resulted from the exploitation of a zero-day vulnerability in the company’s network equipment, allowing for unauthorized access.


IV. COMPREHENSIVE INCIDENT SUMMARY TABLE

| Disclosure Date | Organization / Victim | Sector | Country | Incident Type / Threat Actor | Known Impact |
|---|---|---|---|---|---|
| July 14 | Louis Vuitton | Retail (Luxury) | Global | Third-Party Breach | Customer PII (names, contact info) |
| July 10 | Pierce County Library | Government (Public) | USA | Ransomware (Inc Ransom) | >336,000 individuals’ PII exposed |
| July 10 | Nippon Steel Solutions | Manufacturing | Japan | Zero-Day Exploit | Employee/Customer data leakage |
| July 9 | Qantas Airways | Transportation | Australia | Social Engineering (Scattered Spider) | 5.7 million customer records |
| July 8 | Microsoft Patch Tuesday | Software | Global | Vulnerability Disclosure | 137 vulnerabilities, 1 zero-day |
| June 30 | Episource LLC | Healthcare (Vendor) | USA | Ransomware | 5.4 million individuals’ PII/PHI |
| June 26 | Ahold Delhaize (USA) | Retail (Supermarkets) | USA | Ransomware (Inc Ransom) | 2.2 million individuals’ data |
| June 19 | Mass Credential Leak | N/A (All sectors) | Global | Data Leak (Compilation) | 16 billion username/password pairs |
| June 18 | Nobitex | Financial (Crypto) | Iran | Hacktivism (Predatory Sparrow) | $90 million in crypto destroyed |
| June 17 | Bank Sepah | Financial (Banking) | Iran | Hacktivism (Predatory Sparrow) | Service disruption; data destruction |


V. CURRENT THREAT LANDSCAPE ANALYSIS

This week is defined by the in-the-wild exploitation of a critical vulnerability in a widely deployed file transfer product and the public disclosure of a zero-day in Microsoft SQL Server. CISA’s addition of the Wing FTP Server flaw to its Known Exploited Vulnerabilities (KEV) catalog on July 14 underscores the immediate risk to organizations running it.

  • CVE-2025-47812: Wing FTP Server (Actively Exploited)
    • Description: A critical (CVSS 10.0) null-byte injection vulnerability in the web interface of Wing FTP Server. A NUL byte in the username parameter submitted to loginok.html truncates the value for the authentication check but not for the session file the server writes afterwards, so an unauthenticated remote attacker can inject arbitrary Lua code into a user session file that the server later executes.
    • Impact: This leads to remote code execution with the highest privileges (SYSTEM on Windows, root on Linux), giving an attacker complete control over the server. Because such servers sit at the boundary between the internet and the internal network, a compromised instance is a ready-made pivot point.
    • Status: The vendor fixed the flaw in version 7.4.4 (released in May 2025). Technical details were published on June 30, and Huntress observed in-the-wild exploitation the following day, July 1. Attackers were seen running reconnaissance commands and attempting to create new user accounts for persistence. Exploitation needs nothing more than an HTTP request, so automated scanning for unpatched instances should be assumed.
  • CVE-2025-49719: Microsoft SQL Server (Publicly Disclosed Zero-Day)
    • Description: A high-severity (CVSS 7.5) information disclosure vulnerability caused by improper input validation. According to public reporting, an unauthenticated attacker can send a specially crafted request to the server and receive memory contents it should not be able to read. The flaw affects SQL Server 2016 through 2022 as well as the Microsoft OLE DB Driver 18 and 19.
    • Impact: Leaked memory can contain sensitive fragments such as connection strings, database metadata and credentials. Microsoft rates exploitation as “less likely,” but the lack of authentication makes exposed instances, including cloud-hosted SQL Server VMs with port 1433 open, attractive targets for mass scanning.
    • Status: Disclosed as part of Microsoft’s July 8 Patch Tuesday and marked as publicly disclosed at release. No active exploitation has been confirmed; public proof-of-concept code may follow, so exposed instances should be patched first.
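The Wing FTP flaw is an instance of a general bug class: the authentication path treats the username as a NUL-terminated C string while the session writer interpolates the full, unescaped value into Lua source. The following added example (not Wing FTP Server’s code, and not the published proof-of-concept) models that mismatch in Python beside a hardened variant, and pairs it with a scanner for the Lua execution primitives a defender would hunt for in existing session files. The session file format, the marker list and the payload shape are assumptions made for the illustration.

```python
"""Model of the NUL-byte / Lua session-file injection class behind CVE-2025-47812,
plus a session-file scanner. Added example; not Wing FTP Server's code."""
import re

# ASSUMPTION: a session file keeps the username inside a Lua string literal. The real
# on-disk format is not published in this advisory; the model only needs the shape.
SESSION_TEMPLATE = b'username = "%s"\n'

# Hunting heuristic (assumed, not a vendor IOC list): Lua primitives that execute
# commands or load code have no legitimate reason to appear in a session file.
LUA_EXEC_MARKERS = (b"io.popen(", b"os.execute(", b"loadstring(", b"load(", b"dofile(")

# Strict allowlist: no NUL, quotes, backslashes or newlines can ever reach the file.
USERNAME_ALLOWLIST = re.compile(rb"[A-Za-z0-9_.@-]{1,64}")


def c_string_view(raw: bytes) -> bytes:
    """What NUL-terminated C code sees: everything before the first 0x00 byte."""
    return raw.split(b"\x00", 1)[0]


def vulnerable_session_record(raw_username: bytes) -> bytes:
    """Flawed pattern: authentication validates the truncated C-string view, but the
    session writer interpolates the full, unescaped byte string into Lua source."""
    if c_string_view(raw_username) != b"anonymous":
        raise PermissionError("login rejected")
    return SESSION_TEMPLATE % raw_username


def hardened_session_record(raw_username: bytes) -> bytes:
    """Hardened pattern: validate the whole value against the allowlist first, then use
    that same canonical value for both the auth decision and the stored record."""
    if not USERNAME_ALLOWLIST.fullmatch(raw_username):
        raise ValueError("username contains characters outside the allowlist")
    if raw_username != b"anonymous":
        raise PermissionError("login rejected")
    return SESSION_TEMPLATE % raw_username


def scan_session_file(content: bytes) -> list:
    """Return the Lua execution markers present in one session file (empty = clean)."""
    return [m.decode() for m in LUA_EXEC_MARKERS if m in content]


def demo() -> dict:
    """Constructed samples: a benign login and a NUL-byte injection attempt. The Lua
    after the NUL is inert text in this script; nothing here executes it."""
    benign = b"anonymous"
    attempt = b'anonymous\x00"; io.popen("id"); --'   # illustrative shape only

    vuln_clean = vulnerable_session_record(benign)
    vuln_injected = vulnerable_session_record(attempt)  # accepted: auth saw "anonymous"
    try:
        hardened_session_record(attempt)
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True

    return {
        "auth_view_of_attempt": c_string_view(attempt),
        "vulnerable_clean_hits": scan_session_file(vuln_clean),
        "vulnerable_injected_hits": scan_session_file(vuln_injected),
        "hardened_rejected_attempt": hardened_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run `scan_session_file` over every file in the server’s session directory on any host that was exposed before the upgrade to 7.4.4; a hit means the host should be treated as compromised regardless of whether the patch has since been applied.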


VI. CRITICAL VULNERABILITIES AND CVEs

| CVE ID | Vulnerability Name | Vendor/Product | CVSS 3.1 Score | Remediation Advice |
|---|---|---|---|---|
| CVE-2025-47812 | Wing FTP Server Remote Code Execution | Wing FTP | 10.0 (Critical) | Patch immediately: update to version 7.4.4 or later. Actively exploited; check session files for injected Lua on any host exposed before the upgrade. |
| CVE-2025-47981 | Windows SPNEGO Extended Negotiation RCE | Microsoft Windows | 9.8 (Critical) | Apply July 2025 security updates. |
| CVE-2025-49704 | Microsoft SharePoint RCE | Microsoft SharePoint | 8.8 (High) | Apply July 2025 security updates. |
| CVE-2025-49695 | Microsoft Office RCE | Microsoft Office | 8.4 (High) | Apply July 2025 security updates. |
| CVE-2025-49719 | Microsoft SQL Server Information Disclosure | Microsoft SQL Server; OLE DB Driver 18/19 | 7.5 (High) | Apply July 2025 security updates to SQL Server and update OLE DB Driver 18/19 on clients. Restrict public access to TCP port 1433. |

The vulnerabilities reported this week pose a serious and immediate threat to enterprise systems, and require urgent action from security teams.

One major concern is the in-the-wild exploitation of the critical Wing FTP Server vulnerability (CVE-2025-47812) within 24 hours of its technical details being published, even though a fixed version (7.4.4) had been available since May. At the same time, a zero-day vulnerability in Microsoft SQL Server (CVE-2025-49719) was publicly disclosed. Together these events highlight a disturbing reality: the grace period between a vulnerability becoming public and being exploited is now close to zero, and a patch that is available but not applied offers no protection.

Attackers are moving faster than ever, often weaponizing new exploits within hours. This rapid pace has made traditional, reactive patching cycles ineffective.

What makes these flaws especially dangerous is their impact on core systems:

  • Internet-facing file transfer servers (like Wing FTP), which often serve as entry points into internal networks.
  • Critical database systems (like SQL Server), which store an organization’s most sensitive information.

Given the widespread use of these platforms, the risk is not limited to a few organizations; it is global. Security teams must prioritize fast, intelligence-led patching and mitigation strategies to stay ahead and prevent potentially catastrophic breaches.

VII. THREAT ACTOR ACTIVITIES

Understanding the adversaries behind the attacks is critical to tailoring effective defenses. This week, activities by Scattered Spider and the re-emergence of Pay2Key are particularly noteworthy.

Profile: Scattered Spider (UNC3944, Octo Tempest)

  • Attribution and Mandate: A highly proficient, financially motivated cybercriminal group known for its expertise in social engineering. Originally focused on SIM-swapping, the group has evolved into a sophisticated enterprise threat, conducting large-scale data theft and ransomware campaigns.
  • Key Tactics, Techniques, and Procedures (TTPs) mapped to MITRE ATT&CK®:
    • Initial Access (TA0001): The group’s hallmark is Phishing: Spearphishing Voice (T1566.004), targeting IT help desks and BPO call centers, as seen in the Qantas breach. They impersonate employees needing assistance to obtain credentials or a password/MFA reset.
    • Credential Access (TA0006): They are adept at Multi-Factor Authentication Request Generation (T1621), spamming users with MFA push notifications to induce “MFA fatigue” until the user approves one.
    • Defense Evasion and Command and Control (TA0005 / TA0011): They deploy legitimate remote monitoring and management (RMM) tools such as AnyDesk and TeamViewer (Remote Access Software: T1219) so that their sessions blend in with normal administrative activity.
    • Exfiltration (TA0010): Data is often exfiltrated to commercial cloud storage services such as Mega and GoFile.io (Exfiltration to Cloud Storage: T1567.002).
    • Impact (TA0040): The group is flexible with its final objective, often engaging in Data Encrypted for Impact (T1486) using affiliate ransomware payloads (ALPHV/BlackCat, DragonForce) or simply extorting victims with the threat of leaking stolen data.
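The MFA fatigue technique (T1621) above has a simple observable signature: a burst of push challenges to one account in a short window, followed by an approval. The added example below (not from the original advisory and not any identity provider’s native detection) implements that logic as a sliding-window detector over constructed sign-in events. The JSON-lines schema, field names and event names are assumptions; map them onto the fields your IdP actually emits.

```python
"""Sliding-window detector for the MFA-fatigue pattern (ATT&CK T1621).
Added example over constructed events in an assumed JSON-lines schema."""
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

BURST_THRESHOLD = 5     # pushes within the window that count as a burst
WINDOW_SECONDS = 300    # sliding window length

# Constructed sample events (deliberately out of order to show that sorting matters).
# "ip" is the client address recorded on the sign-in attempt that produced the push.
SAMPLE_EVENTS = """\
{"ts":"2025-07-08T01:13:15Z","user":"jdoe","event":"mfa_push_sent","ip":"203.0.113.7"}
{"ts":"2025-07-08T01:12:03Z","user":"jdoe","event":"mfa_push_sent","ip":"203.0.113.7"}
{"ts":"2025-07-08T01:12:40Z","user":"jdoe","event":"mfa_push_sent","ip":"203.0.113.7"}
{"ts":"2025-07-08T08:30:00Z","user":"asmith","event":"mfa_push_sent","ip":"198.51.100.20"}
{"ts":"2025-07-08T01:13:50Z","user":"jdoe","event":"mfa_push_sent","ip":"203.0.113.7"}
{"ts":"2025-07-08T01:14:22Z","user":"jdoe","event":"mfa_push_sent","ip":"203.0.113.7"}
{"ts":"2025-07-08T08:30:12Z","user":"asmith","event":"mfa_push_approved","ip":"198.51.100.20"}
{"ts":"2025-07-08T01:15:01Z","user":"jdoe","event":"mfa_push_sent","ip":"203.0.113.7"}
{"ts":"2025-07-08T01:15:30Z","user":"jdoe","event":"mfa_push_sent","ip":"203.0.113.7"}
{"ts":"2025-07-08T01:15:44Z","user":"jdoe","event":"mfa_push_approved","ip":"203.0.113.7"}
"""


def parse_events(text: str) -> list:
    """Parse JSON lines into dicts with an aware UTC datetime in "ts"."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        events.append(event)
    return events


def detect_mfa_fatigue(events: list, threshold: int = BURST_THRESHOLD,
                       window: int = WINDOW_SECONDS) -> list:
    """Return one finding per user whose push count reached `threshold` inside a
    `window`-second sliding window. An approval arriving after the burst started is
    recorded as the attack's success condition."""
    recent = defaultdict(deque)   # user -> deque of (ts, ip) for pushes inside the window
    findings = {}
    for event in sorted(events, key=lambda e: e["ts"]):
        user, now = event["user"], event["ts"]
        if event["event"] == "mfa_push_sent":
            q = recent[user]
            q.append((now, event.get("ip", "")))
            while (now - q[0][0]).total_seconds() > window:
                q.popleft()
            if len(q) >= threshold:
                finding = findings.setdefault(user, {
                    "user": user,
                    "burst_start": q[0][0],
                    "pushes": 0,
                    "push_ips": set(),
                    "approved_after_burst": False,
                    "approval_ts": None,
                })
                finding["pushes"] = max(finding["pushes"], len(q))
                finding["push_ips"].update(ip for _, ip in q)
        elif event["event"] == "mfa_push_approved" and user in findings:
            findings[user]["approved_after_burst"] = True
            findings[user]["approval_ts"] = now
    return list(findings.values())


if __name__ == "__main__":
    for finding in detect_mfa_fatigue(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

In the sample, jdoe receives seven pushes in under four minutes and then approves one, which is the fatigue pattern; asmith’s single push and approval is normal and produces no finding. Tune the threshold to your environment, and treat an approval after a burst as an incident trigger (revoke sessions, reset the factor) rather than a mere alert.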


Profile: Pay2Key Ransomware

  • Attribution and Mandate: An Iranian-backed Ransomware-as-a-Service (RaaS) operation. Its re-emergence is notable for its explicit geopolitical targeting.
  • Key TTPs mapped to MITRE ATT&CK®:
    • Initial Access (TA0001): Historically, the operators gained access through exposed RDP services (External Remote Services: T1133) and through vulnerabilities in VPN appliances and other public-facing applications (Exploit Public-Facing Application: T1190).
    • Execution (TA0002): The group makes extensive use of built-in tools like PowerShell (Command and Scripting Interpreter: T1059.001) to execute payloads and move laterally.
    • Impact (TA0040): The operation is financially motivated but directed by state interests. It has resurfaced offering an 80% profit share to affiliates who successfully attack targets in the U.S. and Israel, clearly aligning its criminal enterprise with Iran’s geopolitical objectives.

VIII. MALWARE ANALYSIS

Analysis of newly discovered or trending malware provides insight into attacker innovation and preferred infection vectors.

Interlock RAT

  • Description: A new PHP-based variant of the Remote Access Trojan (RAT) used by the Interlock ransomware group, publicly documented on July 14, 2025. It is engineered for stealth and persistence on the initial foothold.
  • Key Feature: Its purpose is to establish a long-term foothold within a victim network, conduct host and domain reconnaissance, exfiltrate valuable data, and pave the way for deployment of the final ransomware payload.
  • Distribution: Public reporting ties this variant to the KongTuke web-inject cluster: visitors to compromised websites are shown a FileFix lure (a ClickFix variant) that tricks them into pasting a command which fetches and runs the RAT, rather than the malicious attachments of conventional phishing.

Sinobi Ransomware

  • Description: A new crypto-ransomware family that emerged in late June 2025. It uses a standard combination of AES and RSA encryption and drops a ransom note demanding contact via a Tor-based chat.
  • Key Features: The malware exhibits concerning capabilities for lateral movement. It actively checks for connected USB devices to potentially spread to other systems and attempts to access the Windows Credential Manager to steal stored credentials.
  • Significance: The combination of data encryption with credential theft and worm-like propagation capabilities makes Sinobi a significant threat, capable of rapidly compromising an entire network.


IX. RECOMMENDATIONS

Based on this week’s analysis, we provide the following recommendations, tailored for both executive leadership and technical operations teams.

For Non-Technical / Executive Leadership

  • Acknowledge and Address Supply Chain Risk: The security of your organization is dependent on the security of your vendors. Mandate rigorous security assessments for all critical third-party partners. A breach at a supplier, as seen with Louis Vuitton, is a breach of your organization.
  • Champion a Culture of Security Vigilance: The human element remains a primary target. With sophisticated social engineering on the rise, the risk of employee error is heightened. Invest in and champion continuous security awareness training that addresses modern vishing and phishing tactics.
  • Prioritize Resilience Over Prevention Alone: The speed of zero-day exploitation means that a prevention-only strategy is insufficient. A successful breach should be treated as an inevitability. Ensure that your investment and planning reflect this reality by funding and regularly testing robust business continuity, disaster recovery, and incident response plans.

For Technical / Security Operations Teams

  • Immediate Action – Remediate Known Exploited Vulnerabilities: Prioritize the immediate patching of CVE-2025-47812 (Wing FTP). This is not a theoretical risk; it is confirmed to be under active exploitation. Use threat intelligence and CISA’s KEV catalog as a primary driver for your vulnerability management prioritization.
  • Harden Against Identity Attacks:
    • Enforce phishing-resistant Multi-Factor Authentication (MFA) across all externally facing services, especially for remote access VPNs, cloud administration consoles, and email.
    • Specifically review and harden security protocols for IT help desks and other support functions, as they are prime targets for social engineering.
    • Enforce the principle of least privilege for all user and service accounts to limit the potential impact of a compromised credential.
  • Secure the Network Edge:
    • Audit all internet-facing services. Restrict access to management interfaces and database ports from the public internet unless absolutely necessary.
    • Deploy a Web Application Firewall (WAF) to protect against common web-based exploits.
  • Adopt an “Assume Breach” Threat Hunting Posture: When a malware infection is detected, do not treat it as a single, contained event. Assume broader network access has been achieved. Immediately escalate to a full incident response and threat hunting cycle. Proactively search for signs of lateral movement, credential dumping, and persistence establishment.

X. ANALYST NOTES

The convergence of threats observed this week points to several strategic shifts in the cybersecurity landscape that demand a re-evaluation of traditional defensive postures.

First, the weaponization of the human element has reached a new level of maturity. Groups like Scattered Spider are not just sending phishing emails; they are systematically exploiting corporate processes and the inherent human desire to be helpful. Their targeting of call centers and IT help desks is a calculated strategy that bypasses billions of dollars in technical security controls by attacking the person on the other end of the phone. This necessitates a shift in defense from purely technical solutions to a socio-technical approach that hardens processes and better prepares support staff for sophisticated manipulation.

Second, the speed of exploitation continues to accelerate. The timeline from the disclosure of the Wing FTP vulnerability to its active exploitation in the wild was less than 24 hours. This has effectively closed the “grace period” for patching. A security posture based on patching after a vulnerability is announced is fundamentally broken. The new standard must be a proactive, intelligence-led defense that includes continuous attack surface monitoring and the ability to implement compensating controls before a patch is even available.

Finally, the line between cybercrime and nation-state activity continues to blur. The re-emergence of a state-backed RaaS like Pay2Key, which openly directs criminal affiliates toward geopolitical targets, demonstrates how nation-states can leverage the cybercrime ecosystem as a deniable and scalable tool of statecraft. This dramatically increases the risk for any organization, as they can be targeted simply for their perceived nationality or role in a critical supply chain. The margin for error has vanished, and only organizations that can operate at the speed of the threat will remain resilient.

XI. CONTACT INFORMATION

For further inquiries or guidance regarding this report, please contact the Meraal Cyber Security (MCS) Threat Intelligence Team.

Note on Sources and Intelligence: This report synthesizes information from various credible sources, including public advisories from organizations like CISA, MITRE, and MS-ISAC, alongside internal analysis and emerging threat intelligence. Efforts have been made to differentiate between confirmed intelligence and speculative or unverified information to maintain accuracy and credibility.
